Penetration Testing mailing list archives
RE: Advanced Network Infrastructure Assessment Questions....
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Sun, 1 Jul 2007 14:22:14 -0700
Excellent reply Pete. As a moderator it makes my day when detailed responses like this are submitted. :)

In my experience the most time-consuming task is the audit and enumeration of rules/ACLs etc. of network devices. There are several tools out there in the Risk Assessment/Audit market which can help to expedite this portion (Cisco, SkyBox, Red Seal, etc). I've some experience on these tools and Red Seal is the only one (AFAIK) that offers an engagement or consulting-based solution, which sounds like it would fit your needs. Grab the configs of the firewalls, routers, switches etc. and it will build you a nice map and risk analysis which should help grab the low-hanging fruit. It's always nice to have a quick and easy way to show a client that if they change foo at X how it affects bar at Y, and tools like Red Seal's allow a simple visual representation which easily translates to non-techs.

As Pete mentions though, that part is only the beginning and the OSSTMM controls are a great guideline to follow to sniff out the non-obvious risks.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pete Herzog
Sent: Sunday, July 01, 2007 9:35 AM
To: Joseph McCray
Cc: pen-test () securityfocus com
Subject: Re: Advanced Network Infrastructure Assessment Questions....

Hi Joe,

I know you're a smart security guy so I won't insult you with basic stuff you probably know but rather approach this as 3 possible tiers.

Depending on your assessment (what you're promising or selling) you may want to just make sure that the routers/firewalls are working as designed for egress/ingress filtering, depth and level of that filtering, packet manipulation type from that filtering, packet contents added or removed with the filtering, holding states properly if so configured, controls and handling for accepted protocols (here the TCP/UDP/ICMP trinity is merely the start), and controlled access granted appropriately and to the right vector. And that's the unit itself.

Then there's the environment around the unit, its processes and controls where they interact with other channels and vectors like people, telecommunications, wireless, etc. and from the inside, outside, or direct access.

The third possibility is to test the systems themselves for vulnerabilities where the standard fare applies of validation of interactivity whether direct (interactive with the system) or indirect (system writes a log which is exploited). But that may not be something where you will find the average corporate customer buying. It all depends what you're doing or want to do.

Of course the first 2 tiers can be repackaged into a variety of partial audits for various compliance objectives. Same chips, different colored bag, change flavoring powder to taste.

One way we have been approaching the means of increasing the depth of security tests is to use the 10 controls of the OSSTMM as a starting point.
It's an easy way of trying to find how and where that control is implemented in the security solution and what weaknesses it has. That list is available under the security metrics (RAVs) portion of OSSTMM 2.2 at www.osstmm.org. Here it is reprinted:

Controls

Controls are the 10 loss protection categories in two categories, Class A (interactive) and Class B (process). The Class A categories are authentication, indemnification, subjugation, continuity, and resilience. The Class B categories are non-repudiation, confidentiality, privacy, integrity, and alarm.

Class A

Authentication is the control of interaction requiring having both credentials and authorization where identification is required for obtaining both.
Indemnification is the control over the value of assets by law and/or insurance to recoup the real and current value of the loss.
Subjugation is the locally sourced control over the protection and restrictions of interactions by the asset responsible.
Continuity is the control over processes to maintain access to assets in the events of corruption or failure.
Resilience is the control over security mechanisms to provide protection to assets in the event of corruption or failure.

Class B

Non-repudiation prevents the source from denying its role in any interactivity regardless whether or not access was obtained.
Confidentiality is the control for assuring an asset displayed or exchanged between parties can be known outside of those parties.
Privacy is the control for the method of how an asset displayed or exchanged between parties can be known outside of those parties.
Integrity is the control of methods and assets from undisclosed changes.
Alarm is the control of notification that OPSEC or any controls have failed, been compromised, or circumvented.

Sincerely,
-pete.
Joseph McCray wrote:

I'm starting to do more and more network infrastructure assessment work (specifically auditing Routers/Switches/Firewalls/VPNs/etc), and I'm really looking to expand the scope of this service and make my audit as thorough as possible. Basically, the stuff that I'm hitting the hardest right now is SNMP, TFTP, NTP, VPN psk stuff, firewall leak testing, and of course weak passwords/clear text protocols for network management.

My most commonly used tools right now are:
* nmap (obviously)
* nessus
* onesixtyone (and other snmp tools)
* cisco-torch
* cge.pl
* ftester
* ike-scan (and other scripts)

Tools of interest for me are scapy and yersinia. Just really haven't sat down and learned them, but read about and have played with them a little (never on an audit though). I'm looking for other things that I may be forgetting/neglecting. I'm running into a lot more non-cisco gear so that is new for me (Extreme, Foundry, Juniper, etc). So I'm looking for good general information that will help me improve my audits in that area.

I'm specifically looking for more links on auditing NAC solutions (a methodology that I could follow or at least point me in the right direction). More stuff like this:
https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Presentation/bh-eu-07-dror-ppt-apr19.pdf
https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Whitepaper/bh-eu-07-dror-WP.pdf

...and Ofir Arkin's research on the subject
http://media.blackhat.com/presentations/bh-dc-07/Arkin/Presentation/bh-dc-07-Arkin-ppt-up.pdf

I'm also looking for people that are auditing things like 802.1x, and/or doing 802.1x implementations in a hybrid network infrastructure (i.e. Cisco, Extreme, Foundry, blah blah blah).
Let me know guys... I could really use the help.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer
http://www.cenzic.com/wf-spi
------------------------------------------------------------------------
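Erin's point about the ACL audit being the slow part, and about showing a client what changing foo at X does to bar at Y, and Pete's first tier (confirming the unit actually filters ingress/egress the way the design says) can both be illustrated with a small first-match ACL auditor. The following is an added example written for this archive page; it is not code from the thread, from OSSTMM, or from any of the products named above. It assumes a constructed, simplified subset of Cisco-style extended ACL syntax (permit/deny, tcp/udp/ip, any/host/prefix, optional "eq port"), a hand-written sample rule set, and hypothetical helper names; it is a reading aid for reviewing a rule set, not a substitute for the device's own behaviour.

```python
"""First-match ACL auditor (added example, not code from the thread or from
the tools it names). Syntax assumed is a constructed, simplified subset of
Cisco-style extended ACLs:
    <permit|deny> <tcp|udp|ip> <src> <dst> [eq <port>]
where <src>/<dst> is "any", "host A.B.C.D", or "A.B.C.D/prefix".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Management-plane ports an auditor checks for wide-open access.
MGMT_PORTS = {22: "ssh", 23: "telnet", 69: "tftp", 123: "ntp", 161: "snmp"}

# Constructed sample rule set; not taken from any real device.
SAMPLE_ACL = """
! constructed sample, not a real device config
permit tcp 10.1.0.0/16 host 10.0.0.1 eq 22
permit udp any host 10.0.0.1 eq 161
deny   tcp any host 10.0.0.1 eq 23
permit ip 10.1.0.0/16 any
permit tcp 10.1.2.0/24 host 10.0.0.1 eq 22
deny   ip any any
"""

@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok, strict=False), i + 1

def parse_acl(text):
    """Parse the simplified ACL text into Rule objects, keeping line numbers."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(n, t[0], t[1], src, dst, port))
    return rules

def _covers(rule, proto, src_ip, dst_ip, port):
    if rule.proto not in ("ip", proto):
        return False
    if src_ip not in rule.src or dst_ip not in rule.dst:
        return False
    return rule.port is None or rule.port == port

def first_match(rules, proto, src_ip, dst_ip, port):
    """Rule a flow hits under first-match evaluation, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _covers(r, proto, s, d, port):
            return r
    return None

def shadowed(rules):
    """(later line, earlier line) pairs where an earlier rule fully covers a later
    one, so the later rule can never be reached (dead rule or mis-ordered intent)."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                out.append((later.line, earlier.line))
                break
    return out

def permissive(rules):
    """Permit rules that are wide open or expose a management port to any source."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.src.prefixlen == 0 and r.dst.prefixlen == 0 and r.port is None:
            findings.append((r.line, "permit any any: no filtering at all"))
        elif r.src.prefixlen == 0 and r.port in MGMT_PORTS:
            findings.append((r.line, f"{MGMT_PORTS[r.port]} management reachable from any source"))
    return findings

def decision_diff(before, after, flows):
    """Flows whose permit/deny outcome differs between two rule sets: the
    'change foo at X, what happens to bar at Y' question."""
    changed = []
    for f in flows:
        a, b = first_match(before, *f), first_match(after, *f)
        act_a = a.action if a else "deny"  # implicit deny at end of ACL
        act_b = b.action if b else "deny"
        if act_a != act_b:
            changed.append((f, act_a, act_b))
    return changed

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    print("shadowed:", shadowed(rules))
    print("permissive:", permissive(rules))
    without_telnet_deny = [r for r in rules if r.line != 4]
    flows = [("tcp", "10.1.2.5", "10.0.0.1", 23), ("tcp", "192.0.2.9", "10.0.0.1", 23)]
    print("changed by dropping line 4:", decision_diff(rules, without_telnet_deny, flows))
```

On the sample set, the auditor reports line 6 as shadowed by line 2 (same SSH permit, narrower source, so it never fires), flags line 3 because SNMP is reachable from any source, and shows that dropping the explicit telnet deny on line 4 flips the 10.1.0.0/16 to 10.0.0.1 telnet flow from deny to permit while the outside flow stays denied by the final deny. That last check is the mechanical form of the "change at X, effect at Y" walkthrough; a real engagement still needs the device's own ordering, object groups, NAT and state handling taken into account, which this toy grammar deliberately leaves out.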